A new malware named OpcJacker has been using the disguise of a VPN to trick users into downloading and running it on their system.
OpcJacker was discovered by experts at cybersecurity firm Trend Micro, who report that it first appeared in the wild in the second half of 2022 and is still actively distributed through malvertising.
Posing as VPN Product
OpcJacker has been spread via various campaigns, previously abusing known cryptocurrency wallet apps. Starting in February 2023, the threat actors adopted an infection chain that relies on malvertisements promoting a VPN service.
The site used by the threat actors is a copy of a legitimate VPN service provider's website, and the file victims download from it does contain a VPN installer, but one that has been trojanized with the malware.
To avoid having the landing page flagged by Google's automated security crawlers, the malicious archive is not served from it directly: clicking the “Get Started” button on the landing page redirects victims to a second website, from which the archive is downloaded.
Interestingly, at this stage, the site checks the victim’s IP address, and if it finds that they use a legitimate VPN service, the redirection doesn’t happen, and the attack does not proceed.
The main functions of OpcJacker include keylogging, screenshot snapping, stealing data stored in web browsers, performing clipboard hijacking to divert cryptocurrency payments, and loading additional modules from the C2.
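Clipboard hijacking of the kind listed above works by silently replacing a copied cryptocurrency address with one controlled by the attacker, so that the victim pastes and pays the wrong recipient. The following Python script is an added example, not code from the original article or from Trend Micro's analysis; it shows a defender-side heuristic for spotting that behaviour in a log of clipboard changes. It assumes a constructed sequence of timestamped clipboard snapshots, simplified address-shape patterns (no checksum validation), and a two-second replacement window; the `ClipboardEvent` type, the `detect_substitutions` function and the sample addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Simplified address-shape heuristics (assumption: format only, no checksum validation).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# A clipper typically overwrites the clipboard within a fraction of a second
# of the user's copy; anything slower is treated as a normal user action.
# (assumption: threshold chosen for this example)
SWAP_WINDOW_SECONDS = 2.0


@dataclass
class ClipboardEvent:
    """One observed clipboard change (constructed type for the example)."""
    ts: float        # seconds since monitoring started
    content: str     # new clipboard text


def classify(text):
    """Return the address family a string looks like, or None if it is not an address."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


def detect_substitutions(events, window=SWAP_WINDOW_SECONDS):
    """Flag changes where an address is replaced by a different address of the
    same family within `window` seconds: the signature of clipboard hijacking.
    Returns one dict per suspicious change, in order of occurrence."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        before, after = classify(prev.content), classify(cur.content)
        if before is None or after != before:
            continue                                # not an address -> same-family address
        if prev.content.strip() == cur.content.strip():
            continue                                # same address re-copied, nothing swapped
        if cur.ts - prev.ts > window:
            continue                                # slow enough to be the user copying anew
        alerts.append({
            "family": before,
            "original": prev.content.strip(),
            "replacement": cur.content.strip(),
            "delay": round(cur.ts - prev.ts, 3),
        })
    return alerts


# Constructed clipboard history: a BTC address swapped 0.3 s after being copied
# (clipper behaviour) and an ETH address replaced 35 s later by ordinary use.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes"),
    ClipboardEvent(12.0, "1ConstructedSourceAddrDemoAAAA"),
    ClipboardEvent(12.3, "3ConstructedAttackerAddrDemoA"),
    ClipboardEvent(60.0, "0x" + "ab" * 20),
    ClipboardEvent(95.0, "0x" + "cd" * 20),
]

if __name__ == "__main__":
    for alert in detect_substitutions(SAMPLE_EVENTS):
        print(f"possible clipper: {alert['family']} {alert['original']} -> "
              f"{alert['replacement']} after {alert['delay']}s")
```

In a real deployment the event list would come from a clipboard monitor on the endpoint; the heuristic is deliberately narrow (same address family, different address, fast swap) so that ordinary copy-and-paste of several addresses over a session does not trigger it.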
Additionally, OpcJacker can establish persistence on the compromised system by performing the necessary registry modifications on Windows.
Two modules downloaded from the command and control (C2) server are the NetSupport RAT and hVNC. The first is a legitimate remote access tool that is heavily abused by threat actors in malicious operations. The second, hVNC (hidden Virtual Network Computing), is a VNC variant that lets threat actors perform actions on the breached device without the user seeing them.
In this particular case, hVNC is also loaded with extra functions to target cryptocurrency extensions running on the victim’s web browsers, supporting Chrome, Edge, and Firefox.
In general, the motive of the attack based on the malware’s features appears to be purely financial.
Users can protect themselves from these attacks by downloading VPN software only from the vendors' official websites. These can be found below the promoted (sponsored) results on Google Search, on the product's Wikipedia page, or on VPN-focused websites hosting product reviews and promotions, such as RestorePrivacy.